
What is the priority of firewall policy, IPS and customized IPS?

Created: 06 Dec 2012 • Updated: 06 Dec 2012 | 5 comments
This issue has been solved. See solution.

I am testing customized IPS to drop some traffic.

There is a piece of software that uses UDP to send login info to the server, and if UDP is blocked, it uses TCP to send the login info.

I can block the UDP port it uses because it is not a common port, but the TCP ports 80/443 it uses cannot be blocked.

And it is not a good solution to block the server's DNS name or IP, because the server list always changes.

So I think I can use customized IPS to drop the login info packet.

I do succeed in dropping the TCP packet but fail to drop the UDP packet.

my test:

If I use default firewall policy, and apply customized IPS, the software can login.

If I use the default firewall policy but just add a BLOCK ALL UDP rule ahead of the Allow ALL APPS rule, and apply customized IPS, then the software fails to login, and I can see in the IPS logs that it drops the TCP login info packet.

So I am confused: what is the priority of firewall policy, IPS and customized IPS?

If firewall policy is higher, customized IPS will do nothing.

If customized IPS is higher, I should be able to see in the IPS logs that it drops the UDP and TCP packets.

my customized IPS are:

------------------------------

rule udp, dest=(xxxx),msg="DROP XXX UDP LOGIN",content="\x01\x01\x01"

rule tcp, dest=(80,443),msg="DROP XXX TCP LOGIN",regexpcontent="\x01\x01\x01" (58,3)

------------------------------

So can someone give me an answer?

Thanks in advance.


Brɨan:

Check this KB article:

About the firewall rule, firewall setting, and intrusion prevention processing order

https://www.symantec.com/business/support/index?pa...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SOLUTION
Leo Young:

Thanks.

OK. Now I know that custom IPS is the first priority.

So is there anything wrong with my custom IPS setting? Why can it not drop my UDP packet as I want?

Brɨan:

What version are you running?


Leo Young:

After I remove "content" from my UDP custom IPS, it works.

So I think I did not get the right data segment of the UDP packet to drop.
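The processing order the KB article describes (custom IPS signatures first, firewall rules only afterwards) and the reason the UDP rule only dropped traffic once "content" was removed can be reproduced with a small rule evaluator. This is an added example, not code from the thread or from Symantec; the packets, the port 5555, the dict field names and the reading of (58,3) as (offset, depth) are all assumptions made for the illustration.

```python
import re

# Constructed packets for this example (not captured from the poster's software).
# The UDP payload deliberately does NOT contain three consecutive 0x01 bytes.
UDP_LOGIN = {"proto": "udp", "dest": 5555, "payload": b"\x02\x00\x01\x01LOGIN"}
TCP_LOGIN = {"proto": "tcp", "dest": 443, "payload": b"A" * 58 + b"\x01\x01\x01LOGIN"}

# Hypothetical signature records mirroring the thread's rules. The UDP rule with
# "content" never matches because the bytes are not where the poster assumed.
UDP_SIG_CONTENT = {"proto": "udp", "dest": {5555}, "msg": "DROP XXX UDP LOGIN",
                   "content": b"\x01\x01\x01"}
UDP_SIG_PLAIN = {"proto": "udp", "dest": {5555}, "msg": "DROP XXX UDP LOGIN"}
TCP_SIG = {"proto": "tcp", "dest": {80, 443}, "msg": "DROP XXX TCP LOGIN",
           "regexpcontent": (rb"\x01\x01\x01", (58, 3))}

# Firewall rule lists, evaluated top-down, first match wins.
FW_DEFAULT = [{"proto": "any", "action": "allow"}]
FW_BLOCK_UDP = [{"proto": "udp", "action": "block"}, {"proto": "any", "action": "allow"}]


def ips_match(sig, pkt):
    """True when a custom IPS signature matches the packet. 'content' is a plain
    substring test over the whole payload; 'regexpcontent' with (offset, depth) is
    searched only inside payload[offset:offset + depth] (assumed semantics)."""
    if sig["proto"] != pkt["proto"] or pkt["dest"] not in sig["dest"]:
        return False
    if "content" in sig:
        return sig["content"] in pkt["payload"]
    if "regexpcontent" in sig:
        pattern, (offset, depth) = sig["regexpcontent"]
        return re.search(pattern, pkt["payload"][offset:offset + depth]) is not None
    return True  # no payload condition: protocol and port alone decide


def decide(pkt, ips_sigs, fw_rules):
    """Custom IPS signatures are consulted first; the first match drops the packet.
    Only if no signature matches do the firewall rules get a say."""
    for sig in ips_sigs:
        if ips_match(sig, pkt):
            return "ips-drop:" + sig["msg"]
    for rule in fw_rules:
        if rule["proto"] in ("any", pkt["proto"]):
            return "fw-" + rule["action"]
    return "fw-allow"


if __name__ == "__main__":
    print(decide(UDP_LOGIN, [UDP_SIG_CONTENT, TCP_SIG], FW_BLOCK_UDP))  # fw-block
    print(decide(UDP_LOGIN, [UDP_SIG_PLAIN, TCP_SIG], FW_DEFAULT))      # ips-drop
```

With the "content" signature the UDP login is never seen by IPS and falls through to the firewall, which is why only the BLOCK ALL UDP rule (and then the TCP signature) stopped the login in the poster's test.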